api: do not advertise all forms for backoffice submission to admins (#36988)

This commit is contained in:
Frédéric Péters 2019-10-16 16:17:35 +02:00
parent 7c02aac054
commit b876213f44
2 changed files with 7 additions and 8 deletions


@ -464,13 +464,13 @@ def test_backoffice_submission_formdef_list(pub, local_user):
assert resp.json['err'] == 0
assert len(resp.json['data']) == 0
# ... unless user is admin
# even if user is admin
local_user.is_admin = True
local_user.store()
resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' %
local_user.name_identifiers[0]))
assert resp.json['err'] == 0
assert len(resp.json['data']) == 1
assert len(resp.json['data']) == 0
local_user.is_admin = False
local_user.store()
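Review bot: The changed assertion at the end of the hunk pins only the negative case — an admin who holds none of the formdef's `backoffice_submission_roles` now gets an empty list — so a regression that hid forms from every admin, role or not, would still pass. A follow-up step that gives `local_user` a role listed in the formdef's `backoffice_submission_roles`, repeats the GET and expects `len(resp.json['data']) == 1` would pin the intended behaviour; the role fixtures are outside this hunk, so I cannot quote the exact setup. The new comment `# even if user is admin` matches the new expectation. test_backoffice_submission_formdef_list starts before this hunk.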


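--- a/[path not shown]
+++ b/[path not shown]
@@ -464,12 +464,11 @@ class ApiFormdefsDirectory(Directory):
 elif backoffice_submission:
 if not formdef.backoffice_submission_roles:
 continue
-if not list_all_forms:
-for role in user.get_roles():
-if role in formdef.backoffice_submission_roles:
-break
-else:
-continue
+for role in user.get_roles():
+if role in formdef.backoffice_submission_roles:
+break
+else:
+continue
 elif formdef.roles and user is None and list_all_forms:
 # anonymous API call, mark authentication as required
 authentication_required = True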
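Review bot: The new `for role in user.get_roles()` loop now runs for every backoffice_submission request, whereas the removed `if not list_all_forms:` guard used to skip it in the list-all case; the `elif` right below shows `user is None` is a reachable state, so if a request can reach this branch without an authenticated user it will now raise AttributeError rather than being filtered out. If that path exists, fail closed with `if user is None or not any(r in formdef.backoffice_submission_roles for r in user.get_roles()):` followed by `continue`, which also replaces the for/else with a plainer membership test. Whether `user` can be None here depends on how it is assigned earlier in the method, which is outside the hunk, as is the rest of the enclosing method. Since the point of the commit is that the admin flag must not widen what is advertised for backoffice submission, a comment such as `# visibility here is decided by backoffice_submission_roles only, never by is_admin` above the loop would keep that intent from being undone in a later refactor.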